Lush escapes ICO monetary penalty after thousands of customer details were exposed

The Information Commissioner's Office (ICO) has decided not to punish cosmetics group Lush for a major hack of its online trading site from October 2010 to January 2011.

The ICO found that the company had breached the Data Protection Act by failing to keep customer data secure, but stopped short of imposing a monetary penalty.

Instead, Lush has signed an undertaking to prevent further data breaches by ensuring customer credit card data is processed in accordance with the Payment Card Industry Data Security Standard (PCI DSS).

The hack exposed the payment details of 5,000 customers who had previously shopped on the company's website.

At the time the hack was exposed, some industry analysts expected the ICO to impose a monetary penalty, but the privacy watchdog found that although the company had measures in place to keep customers' payment details secure, they were not sufficient to prevent a determined attack on its website.

The ICO also found that the retailer's methods of recording suspicious activity on its website were insufficient, which delayed the time it took to identify the security breach. Lush took four months to uncover the security breach, and did so only after receiving complaints from 95 customers who had been victims of card fraud.

"Lush took some steps to protect its customers' data, but failed to do regular security checks and did not fully meet industry standards relating to card payment security. Had it done this, it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back," said Sally Anne Poole, acting head of enforcement at the ICO.

This breach should serve as a warning to all retailers that online security must be taken seriously and that the PCI DSS or an equivalent must be followed at all times, she said.

Mark Constantine, managing director of Lush, has signed an undertaking committing the retailer to take the necessary steps, including that the company will store only the minimum amount of payment data needed to receive payments, and that this information will not be kept for longer than is necessary.

All future payments will be managed by an external provider compliant with the PCI DSS, and the retailer will also make sure that appropriate technical and organisational measures are employed and maintained.
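What "store only the minimum payment data, and not for longer than necessary" looks like in code, as an added illustration that is not from the article, the ICO undertaking or Lush's own systems. It assumes the common arrangement the undertaking points to: the external, PCI DSS-compliant provider holds the card and hands the merchant an opaque token, so the merchant keeps a token, the last four digits and the expiry, drops the PAN and CVV at checkout, and purges records after an assumed 180-day refund window. The schema, field names, the test PAN and the 180-day figure are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import re

# Data that must never be persisted after authorisation (PCI DSS "sensitive
# authentication data"), plus the full PAN, which under the assumed policy
# lives only with the external payment provider.
FORBIDDEN_STORED_FIELDS = {"pan", "cvv", "cvv2", "cvc", "track1", "track2", "pin", "pin_block"}

PAN_RE = re.compile(r"\d{13,19}")


@dataclass(frozen=True)
class StoredPayment:
    """The only card-related data the merchant keeps (assumed schema)."""
    psp_token: str   # opaque reference issued by the external provider
    last4: str       # enough for "card ending 1111" on receipts
    expiry: str      # MM/YY, needed to warn customers about expiring cards
    created: str     # ISO date, drives the retention check


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: catches mistyped numbers before the provider is called."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form for receipts and screens: only the last four digits visible."""
    return "*" * (len(pan) - 4) + pan[-4:]


def minimise(raw: dict, psp_token: str, today: str) -> StoredPayment:
    """Reduce the checkout payload (which legitimately carries PAN and CVV for the
    one-off authorisation) to the record the merchant is allowed to keep.
    The PAN and CVV are dropped here and never written anywhere."""
    pan = raw["pan"].replace(" ", "")
    if not PAN_RE.fullmatch(pan) or not luhn_ok(pan):
        raise ValueError("malformed PAN")
    return StoredPayment(psp_token=psp_token, last4=pan[-4:],
                         expiry=raw["expiry"], created=today)


def forbidden_fields(row: dict) -> set:
    """Audit helper: which forbidden fields does a persisted row (e.g. a DB
    row or a log line rendered as a dict) still contain?"""
    return {k for k in row if k.lower() in FORBIDDEN_STORED_FIELDS}


def still_retained(records, today: str, retention_days: int = 180):
    """Keep only records younger than the retention window. 180 days is an
    assumed refund window for illustration, not a figure from PCI DSS."""
    cutoff = date.fromisoformat(today) - timedelta(days=retention_days)
    return [r for r in records if date.fromisoformat(r.created) > cutoff]


if __name__ == "__main__":
    # Constructed checkout payload using a well-known test PAN, not a real card.
    checkout = {"pan": "4111 1111 1111 1111", "expiry": "12/14", "cvv": "123"}
    rec = minimise(checkout, psp_token="tok_example_1", today="2011-01-20")
    print(rec)                                   # no pan, no cvv in the stored record
    print(mask_pan("4111111111111111"))
    print(forbidden_fields({"pan": "4111111111111111", "cvv": "123", "last4": "1111"}))
    old = StoredPayment("tok_old", "4242", "01/12", "2010-06-01")
    print([r.psp_token for r in still_retained([rec, old], today="2011-01-20")])
```

The useful property is that nothing in `StoredPayment` lets an attacker who dumps the merchant's database charge a card: the token is only redeemable by the provider, and the last four digits and expiry are what receipts already show. Running `forbidden_fields` over persisted rows and over application logs is a cheap routine check of the kind the ICO said was missing.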
